(57) The present invention relates to computer viruses
and more particularly to a method and system for using
a virus-free file certificate. The method, for use in a server
(101) or client (100) system, comprises the steps of:

• determining (400) whether a virus-free certificate 
(200) is associated with a file; if a virus-free certifi- 
cate is associated with the file: 

• authenticating (404) the virus-free certificate (200), 
said virus-free certificate comprising a certificate 
signature (206); 

• authenticating (407) the file, said virus-free certifi- 
cate (200) comprising a file signature (207), said file 
signature certifying that said file has been declared 
virus-free by a virus-free certificate authority (102). 




Europäisches Patentamt
European Patent Office
Office européen des brevets







Printed by Jouve, 75001 PARIS (FR) 






EP 1 315 067 A2






Description 
Technical field 

[0001] The present invention relates to computer vi- 
rus and more particularly to a method and system for 
using in a server or client system a virus-free file certif- 
icate generated in a virus-free certificate authority. 

Background of the invention 

[0002] Among all computing and networking security 
issues, the most important cause of concern does not 
come from intrusions, but from the widespread prolifer- 
ation of viruses. Viral infections represent the great ma- 
jority of all security incidents. 

Virus Protection 

[0003] Virus protection for large organizations has be- 
come more and more complex and difficult because of: 

• the combined use of heterogeneous systems and 
practices, 

• the widespread use of distributed or client/server 
systems, and 

• the free exchange of data files via network sharing, 
e-mail, Internet ... 

[0004] Until recently, viral infections threatened only 
data residing on storage media, such as hard drives and 
floppy disks. However, with the emergence of macro vi- 
ruses, the threat has spread to applications. Most or- 
ganizations are not aware of this level of penetration and 
are not organized to manage and prevent virus attacks. 
An effective virus protection software must prevent in- 
fections rather than simply treating them after they have 
already occurred. Anti-virus solutions need a uniform 
plan, with a centralized control, automated virus signature
updates, and support for multiple platforms, protocols,
and file types.

Computer Viruses 

[0005] A computer virus is any program created to re- 
produce itself. A virus reproduces itself by attaching it- 
self to programs, files, or even to boot sectors of disks. 
A virus is activated when the infected file or disk is 
opened or accessed. Once a virus resides in a memory, 
it can attach itself to the next file or disk accessed, and 
so on. A virus may be designed to do harm. A virus may 
also have unintended consequences by overwriting im- 
portant computer information and by causing costly in- 
conveniences to users and network managers. There 
are four general types of computer virus: 

• File Viruses (including macro viruses), which are 
attached to files; 



• Boot sector Viruses in which the boot sectors of 
floppy or hard disks are infected; 

• Master Boot Record (MBR) Viruses which infect 
the disk master boot record; and 

• Multi-partite Viruses that are a combination of a
file virus and a boot sector virus. 

Virus Disguises 

[0006] Viruses need to avoid detection in order to succeed
in corrupting target computers. Simple viruses,
with easily detectable signatures are giving way to more 
sophisticated virus types: 

• Polymorphic Viruses: they change their signature,
or profile, each time they are activated so that
a fixed signature filter will miss them.

• Stealth Viruses: they attempt to hide their presence
by intercepting interrupt services and by feeding
back false information to anti-virus products and
end users.

• Encrypted Viruses: they are delivered within an
encrypted file and are undetectable by a simple
anti-virus.

Sources of Infection 

[0007] Every improvement in network and communi- 
cation technologies opens new avenues through which 
viruses can infect your system. Most former viruses
were boot sector viruses, in which the boot sectors of 
floppy or hard disks were infected. 

Macro Viruses 


[0008] As stated earlier, the creation of macro viruses 
has changed this environment dramatically. A macro vi- 
rus is a set of instructions comprising powerful macro 
routines initially designed for word processing and 
spreadsheet applications. These macro languages enable
a myriad of useful functions which can be imbedded
into a document and which can be executed when the 
document is opened for view or use. 

Internet

[0009] With the exploding development of the Inter- 
net, viruses have catastrophic possibilities. The Internet 
introduces two different virus threats. 

• The first threat is caused by the download of files
comprising viruses when these files are browsed or
transferred using for instance FTP (File Transfer
Protocol) routines. Public shareware (shared software)
and executable routines of all types, including
formatted presentations, are a growing source of virus
infection. Furthermore, new Internet virus
threats are beginning to appear in the form of malicious
JAVA and Active-X applets.

• The second threat comes from electronic mail (e- 
mail). Most Internet e-mail systems provide a very 
rich capability to attach formatted documents to 
mail sent over the network. These e-mail messages 
can be broadcast to individuals or groups of individ- 
uals with the simple stroke of a key! Infected docu- 
ments or files can flood a corporate network through 
gateways and mail servers. As networking, tele- 
communications, remote access, message sys- 
tems supporting attachments of all kinds become 
more and more common, viruses will exploit these 
new electronic pathways to attack systems that 
were heretofore unreachable. 

Groupware Complications 

[0010] A third trend in networking also exacerbates 
the virus threat: the trend towards the deployment of 
Groupware applications such as Lotus Notes, Microsoft 
Exchange, Novell Groupwise, ... 
Since the active and repeated sharing of documents 
over the network is at the core of these applications, they 
represent a fertile ground for the deployment of macro 
viruses. A Groupware application not only acts as a repository
for shared documents but, due to its collaborative
function, simultaneously broadcasts files to associated
work groups. The broadcast of files significantly
multiplies the possibility of accidentally deploying mail
infected by attached macro viruses and makes Group- 
ware protection a high priority. 

Symptoms of Virus Infection 

[0011] Most viruses attempt to remain undetected as
long as possible to extend their destructive influence. 
Therefore, most viruses do not produce any recogniza- 
ble profile or signature that would allow to trap them by 
scanning the software. However, viruses perform ac- 
tions that do not look like normal computer operations 
or user operations. These abnormal actions can be de- 
tected by intelligent anti-virus software. Fortunately, 
many viruses have telltale symptoms and may inadvert- 
ently give off signals that can alert users and virus pro- 
tection software to their presence. 
[0012] Some of these symptoms include: 

• Increase in byte length of files, 

• Alterations of a file's time stamp, 

• Delayed program loading or activation, 

• Reduced performance, 

• Lower system resources, available memory, disk
space, 

• Bad sectors on floppies and hard drives, 

• Strange or non-standard error messages, 

• Non-standard screen activity, display fluctuations, 

• Program inoperability (failing to execute), 

• Incomplete or failed system boots, and 



• Uninitiated drive writes.

Anti-virus Software Overview

Detecting a Virus

[0013] Viruses are becoming increasingly sophisticated
and, as such, can defeat simpler, single dimension
software packages. To be effective, the anti-virus software
must include special-purpose, distributed applications.
Applications can detect viruses using five distinct
methods:

• Signature Scanning: This method compares the
content of files against a database of virus signatures.
This method requires frequent updates of the
database to ensure the identification of new and
changing signatures.

• Integrity Checking: This method compares the
profile of current files and disk areas against an archived
snapshot of these same items. The detected
differences may indicate the presence of a virus.
Check summing is the most common type of integrity
checking. Unfortunately, integrity checking is
generally not effective against modern stealth viruses,
so further detecting means are needed.

• Heuristic Analysis: An artificial intelligence monitors
virus-like behavior, such as trapping certain interrupt
services or attempting unlikely actions such
as reformatting the hard disk.

• Polymorphic Analysis: Polymorphic viruses are
difficult to detect because they constantly change
their look, particularly when they are encrypted or
when they use stealth techniques to hide their presence.
A polymorphic analyzer will move any suspect
file to a separate, protected, location in the
computer and will execute it there to see if it exhibits
any virus-like behavior.

• Macro Virus Analysis: A specifically designed
anti-virus software detects macros in files and tests
them before execution.

Archived and Compressed Files 

[0014] In addition to the support of these five types of
virus analysis, an effective anti-virus system must also 
be able to scan archived and compressed files. Zip (or 
Pkzip) and Microsoft Compression are the most common
tools for archiving and compressing a file. A virus
can hide inside a compressed archive, and can remain
dormant or unnoticed until the infected file is extracted 
and released into a system. The minimum for an efficient 
anti-virus system is to be able to scan most current types 
of archives to identify viruses stored within the files they
contain.
Frequency of Database Signature Update

[0015] Finally, the ability of an anti-virus software to prevent
virus attacks is determined by its ability to maintain an
updated virus signature database. Any anti-virus software
must have an associated, easily accessible Web
site, or some other online source of information, where
regular virus database updates can be retrieved. Products
that automate this update process by using an Internet
connection to regularly collect new information
have a clear advantage in this regard.

Real Time and Scheduled Virus Scanning

[0016] Most anti-virus software can perform a scan of
a computer in order to detect and possibly treat the viruses
found at that time. This process is called scanning.
Scanning a computer for viruses can occur:

• at regular intervals under the control of a scheduler,
or

• as an on-demand operation manually executed, or

• as an event-activated operation (usually in response
to some recognizably "illegal" behavior by
a potential virus).

[0017] In addition, viruses can be detected in real
time, when they are received. This capability is important
because if viruses can be detected when they attempt
to enter within a system (computer, data repository,
server...), then it is possible to prevent them from
corrupting other files. Oftentimes, a scheduled scan
may occur after a virus has already entered within a
computer and has corrupted other files. Obviously, the
earlier a virus can be detected, the better.
[0018] To be truly useful, an anti-virus software must
have the ability to perform all types of scans.

Certificate

[0019] A Certificate is a structure that contains a public
value (i.e. a public key) associated with an identity.
For instance, within a X.509 Certificate, the public key
is bound to a "user's name". A third party (a Certificate
Authority) attests that the public key belongs to the user.
A X.509 Certificate is a very formal structure and comprises
different elements:

• Subject: This is the "user's name" (the Subject can
be any identity value).

• Issuer: This is the name of the third party that has
issued/generated the certificate. This third party is
the Certificate Authority (CA).

• Public Key Value: This is the public key of a public/
private key pair. An associated field defines the public
key algorithm that must be used, for instance a
RSA, Diffie-Hellman or DSA public key.

• Validity: Two fields are used to define the period of
validity (valid from date 1 and valid to date 2).

• Serial Number: This field provides a unique Certif- 
icate serial number for the issuer. 

• Signature: The signature is an encrypted digest 
generated by the Certificate Authority (CA) for au- 
thenticating the whole certificate. The digest results 
from the hashing of the Certificate. The digest is en- 
crypted using the CA private key. The encrypted di- 
gest which is the signature, "certifies" that the Sub- 
ject is the "owner" of the public and private keys. 

Certificate Verification 

[0020] The Certificate needs to be verified to ensure 
that it is valid. This is a quite complex process. The verification
by an end user of a Certificate comprises the
checking of the following elements: 

• Valid (or any) Subject and Issuer names are defined
in the Certificate.

• The Certificate is not expired (checking of the Va- 
lidity period field). 

• The Certificate has not been revoked (this may be
determined by obtaining a current Certificate Revocation
List from the CA).

• The signature on the Certificate is valid (the signa- 
ture is not verified by using the Certificate's public 
key but by using the CA public key). 

[0021] The method for validating the signature is quite
simple, and comprises the steps of: 



• extracting the issuer's name (CA name) from the 
Certificate; 

• locating the issuer's Certificate (CA Certificate) or 
the issuer's public key (CA public key). 

• checking that the end user's Certificate signature 
was generated by the issuer (CA) using the issuer's 
public key (CA public key). 

[0022] Certificates are generated by a Certificate Au- 
thority (CA). Two main methods can be used: 

• Centralized Generation: The private/public key 
pair is generated by the end user (defined in the 
subject field of the Certificate). The public key is di- 
rectly provided by the end user to the CA software 
to create a Certificate. The Certificate can be pro- 
vided to another end user via any suitable channel. 
The channel does not have to be secure because 
a Certificate is a self protecting structure (given the 
CA's signature). 
• Distributed Generation: The private/public key
pair is generated by the end user. The end user requests
the CA to build a Certificate including the end
user public key. The public key is then sent to the
CA for certification. If the request is valid then the
CA returns a Certificate associating the user identity
with the user public key to the end user.

[0023] Of course these two methods can be combined 
in any system, because trusted CA keys are generated
by the Certificate Authority (CA). 

Objects of the invention 

[0024] Current anti-virus methods are becoming more
and more complex due to:

• the number of viruses, 

• the difficulty to find them, and 

• the fact that their signature can change with time or
environment. 

Viruses are coming from everywhere and especially from
the Internet network. The time required to check a disk
within a computer system becomes more and more important.
Furthermore, the checking of a disk involves the
use of resources which may prevent the normal use of 
the computer system. 

[0025] An object of the present invention is to improve 
current anti-virus methods and to provide a new method
using file Certificates similar to X.509 Certificates used 
to authenticate an identity. A specific process associ- 
ates a Certificate with a file to speed up and improve the 
anti-virus processing. 

[0026] It is another object of the present invention to
associate files with a Certificate in view of simplifying 
the anti-virus processing of said files. 
[0027] It is another object of the present invention to 
validate a file against all known viruses. A Certificate is 
added to the file. The Certificate includes a signature
made by a trusted server. This signature spares local
computer systems from checking this file for all existing viruses.
The trusted server validates the file against all known
viruses. This server can use one or several anti-virus
checkers. In case of a new virus, only the certificates are
changed or updated. The only process performed by the 
local computer system is to verify the file against the 
signature included in the Certificate. 
[0028] It is another object of the present invention to 
drastically simplify the computing resources used for virus
detection. Files on Web Servers are downloaded
with their certificates suppressing the risk of virus. The 
full anti-virus is done once instead of being done locally 
on each computer system. 

[0029] It is another object of the present invention to
generate a virus-free Certificate associated with a file 
using a trusted Anti-virus Certificate Authentication 
Server. 



[0030] It is another object of the present invention to 
use this virus-free Certificate on a workstation to per- 
form an anti-virus detection. 

Summary of the invention 

[0031] The present invention relates to computer vi- 
rus and more particularly to a method, system and com- 
puter program for using a virus-free file certificate. 
[0032] The method, for use in a server or client sys- 
tem, comprises the steps of: 

• determining whether a virus-free certificate is asso- 
ciated with a file; 

if a virus-free certificate is associated with the file: 

• authenticating the virus-free certificate, said virus- 
free certificate comprising a certificate signature; 

• authenticating the file, said virus-free certificate 
(200) comprising a file signature, said file signature 
certifying that said file has been declared virus-free 
by a virus-free certificate authority. 

Brief description of the drawings 

[0033] The novel and inventive features believed 
characteristic of the invention are set forth in the appended
claims. The invention itself, however, as well as
a preferred mode of use, further objects and advantages 
thereof, will best be understood by reference to the fol- 
lowing detailed description of an illustrative detailed em- 
bodiment when read in conjunction with the accompa- 
nying drawings, wherein : 

• Figure 1 describes the different entities involved in 
the anti-virus system according to the present in- 
vention. 

• Figure 2 describes the content of a virus-free Cer- 
tificate according to the present invention. 

• Figure 3 is a flow chart of the method of requesting 
and generating a virus-free Certificate for a file ac- 
cording to the present invention. 

• Figures 4a and 4b are flow charts of the method
of using a virus-free Certificate in a workstation according
to the present invention.

Preferred embodiment of the invention 

Introduction 

[0034] Figure 1 describes the different entities in- 
volved in the anti-virus system disclosed in the present 
invention. In most of the cases, the file that the Client 
Workstation (100) requires, is stored in a Web / File 
Server (101). A Certificate, stored in a directory within 
the Web / File Server (101), is associated with this file. 
The Certificate is provided by a Virus-Free Certificate 
Authority Server (102) after request. Said request is sent
by the Web / File Server (101) to the Virus-Free Certificate
Authority Server (102) through a LAN / WAN (Local
Area Network / Wide Area Network) (103) which can include
the Internet network. The Client Workstation (100)
then downloads both file and associated Certificate in a
directory and asks its anti-virus program to check the
file. This checking process does not use any standard
anti-virus program but is based on the previously downloaded
Certificate. The only verification required for determining
whether the file is virus-free or not, is the verification
of the signature comprised in the Certificate. All
the above mentioned method will be better understood
with respect to Figures 2, 3 and 4a/4b.

Virus-free Certificate 

[0035] Figure 2 describes the content of a virus-free 
Certificate according to the present invention. The virus- 
free Certificate reuses the standard X.509 certificate format.
It contains the signature of the file and therefore is
bound to this file. The main difference between a X.509 
Certificate and the virus-free Certificate is that the virus- 
free Certificate comprises: 


• an anti-virus name and level; 

• a signature of the file. 

[0036] The virus-free Certificate (200) includes the 
following fields:

• File name (201): This is the "name" of the file
that the virus-free Certificate protects.

• Issuer (202): This is the "name" of the third party
that issued/generated the virus-free Certificate. 
This third party is the Virus-free Certificate Authority 
(VCA). 

• Public Key Value (203): This is the public key of a
public/private key pair. An associated field defines
the public key algorithm that must be used to check
the file signature, for instance a RSA, Diffie-Hellman
or DSA public key. The public key is provided
by the Virus-free Certificate Authority which uses
the corresponding private key to build the signature
of files. So the same private/public key pair may be
used to build several virus-free Certificates from the
same issuer. This public key within the virus-free
Certificate is preferably used instead of the Virus-free
Certificate Authority public key which is used
to validate only the present certificate signature and
not the file signature. A public key for decrypting the
imbedded signature is added within the virus-free
Certificate because the Virus-free Certificate Authority
public key is generally longer and more complex.
The validity of keys may also differ between
the Virus-free Certificate Authority public key and
the virus-free Certificate public key. Anyway, because
the virus-free Certificate is signed by the Virus-free
Certificate Authority, the use of the virus-free
Certificate public key is secure.

• Validity (204): Two fields are used to define the period
of validity (valid from date 1 and valid to date 2).

• Serial Number (205): This field provides a unique
virus-free Certificate serial number for the issuer.

• Certificate Signature (206): The certificate signature
is an encrypted digest generated by the Virus-
free Certificate Authority (VCA) for authenticating 
the whole Certificate. The digest results from the 
hashing of the virus-free Certificate. 

The digest is encrypted using the VCA private 
key. The certificate signature results from the en- 
crypted digest and "certifies" that the file signature 
is encrypted by the private key associated with the 
virus-free certificate public key (203). The Virus- 
free Certificate Authority (VCA) public key is differ- 
ent from the virus-free Certificate public key and is 
either preloaded in the web browser or given by a 
trusted entity. The VCA public key is used to retrieve 
the original hashing of the full certificate. The Virus- 
free Certificate Authority (VCA) can use the same 
set of virus-free certificate private /public keys (203) 
for all the files generated during a given period of 
time so the cross-checking of the issuer authentica- 
tion can be easily performed time to time, when a 
new set of keys is used. Once the virus-free Certif- 
icate public key for a issuer is validated, it can be 
reused for several files certified by the same issuer 
which reduces the number of virus-free Certificate 
public keys. 

• File Signature (207): The File Signature is verified
using the public key value given in the virus-free
Certificate.

• Anti-virus Checker (208): This field gives an indication
of how the virus-free Certificate has verified
that the file was virus-free. The Anti-virus Checker 
comprises the name and the level of the anti-virus 
program. Several anti-virus programs and levels 
may be appended to reinforce the efficiency of the 
anti-virus detection. 

• Certificate Structure (209): This field describes
the size and the content of the virus-free Certificate
fields. The number of anti-virus programs is defined
in this field.

• If the virus-free Certificate uses a standard for- 
mat (minimum size of a virus-free Certificate), 
this field is optional. 

• If the size of the virus-free Certificate is above
the size of the standard format (above the minimum
size), this field is mandatory and defines
the size of the fields comprised in the virus-free
Certificate.

Virus-free Certificate Generation 

[0037] Figure 3 describes the process of requesting 
a virus-free Certificate for a file located on a Web Server 
or on a File Server (101). Nothing prevents workstations
(100) from requesting a Certificate Authority (102) to build
virus-free Certificates in real time, but the most appropriate
way is to let the Web / File Servers (101) send
requests to the Certificate Authority (102) to build virus-free
Certificates and to let them store the files and associated
anti-virus Certificate together. The method of
requesting and generating a virus-free certificate comprises
the following steps:

• (300) When a new file requires a virus-free Certificate,
the requester, Web / File Server (101) or workstation
(100), sends a virus-free Certificate request
message to a Virus-free Certificate Authority (VCA)
Server (102). Either the file is sent to the Virus-free
Certificate Authority (VCA) Server (102) in addition
to this request message or the checking / signature
is done on the Web / File Server (101) or workstation
(100) where the file is stored. The request may
specify the anti-virus checking method or the use of
a particular anti-virus program.

• (301) The Virus-free Certificate Authority (VCA)
Server starts by checking the file.

• (302) The Virus-free Certificate determines whether
the file is virus-free or not:

If a virus is detected,

  • (307) the VCA Server answers the requester
  with an information concerning the detected
  virus.

  • (308) Eventually, the VCA Server sends
  back to the requester a corrected file.

If no virus is detected,

  • (303) A signature of the file is established.

  • (304) The virus-free Certificate is prepared
  with this signature.

  • (305) The virus-free Certificate and the requester
  identification are then stored in the
  VCA. The requester identification may include
  the file location within the Web / File
  Server or workstation. The file location is
  useful when the requester needs a regular
  and automatic update of the virus-free Certificate
  (for instance, when the virus-free
  Certificate expires or when a new level of
  anti-virus program is provided). In that
  case the VCA can access the file and can
  update the virus-free Certificate without
  any action from the Server or workstation.

  • (306) Finally, the virus-free Certificate is
  sent to the requester.

[0038] For a better understanding, the VCA is shown 
in the present embodiment as an independent Server. 
However, the VCA can be located within a Web / file 
Server (101). It is possible for a master Certificate Au- 
thority server to delegate virus-free Certificate estab- 
lishment to trusted servers or workstations. 

Virus-Free Certificate Utilization 

[0039] Figures 4a and 4b describe the process of us- 
ing the virus-free Certificate in a workstation according 
to the present invention. A File is downloaded with its 
free-virus Certificate onto a workstation. The anti-virus 
program performs a checking on this incoming file. The 
anti-virus program can also check all files assigned by 
configuration. Some files may have an associated virus- 
free Certificate, other files may have no Certificate. The
present method of using a free-virus Certificate in a
workstation comprises the following steps: 

• (400) When scanning files, the anti-virus program 
first looks for the virus-free Certificate associated 
with the file to check. The virus-free Certificate may 
be in the same directory as the file or in a specific 
directory with all free-virus Certificates. Other set- 
tings may be defined but the two settings above are 
the ones used in the present embodiment.

• (401) The virus-free program looks for the virus-free
Certificate: 

If a virus-free Certificate for this file is not found: 

• (402) The process goes on as described in 
the background art. 

• (403) The process goes on by checking the 
next file. 

If the virus-free Certificate for this file is found: 

• (404) The virus-free Certificate is authenti- 
cated using the certificate signature and 
the VCA public key. The VCA public key is 
in the workstation or if not must be retrieved 
through a secure channel. The VCA server 
may be authenticated by another CA having
the required public key.

• (405) Date of expiration, issuer name (VCA 
name), in addition to the certificate signa- 
ture determined in the previous step (404) 
are checked and validated. The anti-virus 
program may also be checked and in par- 
ticular levels used to build the Certificate 
which may or may not be accepted by the 
local anti-virus program depending on pre- 
determined rules. 

• (406) If the virus-free Certificate is not valid 
or authenticated with some obsolete or non 
matching rules, a log is performed in order 
to process on real time or on batch mode 
a refresh action on the VCA to update the 
Certificate in order to match the rules and 
dates. When received the new Certificates 
will allow to process again these files for 
anti-virus checking. 

• (407) If the virus-free Certificate is fully au- 
thenticated, the file signature is verified us- 
ing the public value key included in the vi- 
rus-free Certificate. The public value key 
must match with the file signature also in- 
cluded in the virus-free Certificate. 

• (408) The file signature is checked. 
If the file signature is OK, 

• (409) The next file is checked. 
If the file signature is not OK, 

• (410) A log error is performed.

• (411) The normal anti-virus program is ac- 
tivated to check this suspect file. 

• (412) Finally, the next file is checked. 
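
As an added example (not part of the patent text), the following Python code walks a constructed file through the certificate generation of steps 303-306 and the workstation checks of steps 400-411. The dictionary field names, the issuer "Example VCA", the checker "ExampleAV", the JSON encoding and the fixed demo key pairs are assumptions; the signatures use textbook RSA to mirror the encrypted-digest description above and are not secure for real use.

```python
import hashlib
import json
from datetime import date

# Demo keys constructed for this example: textbook RSA over Mersenne primes
# mirrors the patent's "encrypted digest" model but is NOT secure. Production
# code uses a vetted library and a padded scheme such as RSA-PSS.
E = 65537

def make_key(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

VCA_KEY = make_key(2**1279 - 1, 2**2203 - 1)  # VCA key pair, produces field 206
FILE_KEY = make_key(2**521 - 1, 2**607 - 1)   # shorter pair behind field 203
VCA_PUBLIC = (VCA_KEY["n"], VCA_KEY["e"])     # assumed preloaded on the workstation

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, key):
    """Hash the data, then encrypt the digest with the private key."""
    return pow(digest(data), key["d"], key["n"])

def verify(data, signature, n, e):
    """Decrypt the signature with the public key; compare with a fresh digest."""
    return (isinstance(signature, int) and 0 <= signature < n
            and pow(signature, e, n) == digest(data))

def cert_body(cert):
    """Canonical bytes of every field except the certificate signature (206)."""
    body = {k: v for k, v in cert.items() if k != "cert_signature"}
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(file_name, data, checker, valid_from, valid_to, serial):
    """VCA side, steps 303-306. Assumes the scan of steps 301-302 found no virus."""
    cert = {
        "file_name": file_name,                                       # 201
        "issuer": "Example VCA",                                      # 202
        "public_key": [FILE_KEY["n"], FILE_KEY["e"]],                 # 203
        "validity": [valid_from.isoformat(), valid_to.isoformat()],   # 204
        "serial": serial,                                             # 205
        "file_signature": sign(data, FILE_KEY),                       # 207
        "checker": checker,                                           # 208: [name, level]
    }
    cert["cert_signature"] = sign(cert_body(cert), VCA_KEY)           # 206
    return cert

def check_file(data, cert, vca_public, today, trusted_issuer, min_level):
    """Workstation side, steps 400-411. Returns the action to take for the file."""
    if cert is None:                                       # 400-401: no certificate
        return "scan: no certificate"                      # 402: normal anti-virus
    n, e = vca_public
    # 404: authenticate the certificate first, so that fields 203 and 207
    # are only trusted once the VCA signature over them has been checked.
    if not verify(cert_body(cert), cert.get("cert_signature"), n, e):
        return "refresh: certificate signature invalid"    # 406
    start, end = (date.fromisoformat(d) for d in cert["validity"])
    if not start <= today <= end:                          # 405: validity period
        return "refresh: outside validity period"
    if cert["issuer"] != trusted_issuer:                   # 405: issuer name
        return "refresh: unexpected issuer"
    if cert["checker"][1] < min_level:                     # 405: local level rule
        return "refresh: anti-virus level too old"
    key_n, key_e = cert["public_key"]
    if not verify(data, cert["file_signature"], key_n, key_e):   # 407-408
        return "scan: file signature mismatch"             # 410-411
    return "virus-free"                                    # 409

# Constructed sample file and the certificate issued for it.
DOC = b"constructed sample document body"
CERT = issue_certificate("report.doc", DOC, ["ExampleAV", 7],
                         date(2024, 1, 1), date(2024, 12, 31), 1001)

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(check_file(DOC, CERT, VCA_PUBLIC, today, "Example VCA", 5))
    print(check_file(DOC + b"!", CERT, VCA_PUBLIC, today, "Example VCA", 5))
```

A "refresh" result corresponds to the log-and-update action of step (406), and a "scan" result hands the file to the normal anti-virus program.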

[0040] The Log Error file is processed at the end of 
the file checking and may ask the VCA to check the file 
again in order to produce another virus-free Certificate. 
If a virus is found on this file, the security administrator 
will retrieve all available information to understand
where the virus was introduced, who introduced it... 

Advantages 

[0041] 

• The proposed invention provides a better and faster
way for checking files against viruses.

• Servers offer a better security for all the files they
send to their clients.

• The full anti-virus checking is performed once on
the virus-free Certificate Authority (VCA) Server.

• A Certificate update method is provided.

• Normal anti-virus processes may be used as backup
and may handle files without Certificate. The compatibility
with existing anti-virus programs is easy
because a software supervisor can

  • verify virus-free Certificates for files having
  one, and

  • rely on and call any anti-virus program to perform
  a state of the art virus detection for other
  files.

• The present invention is

  • for users, in line with current security strategies
  based on Certificate Authority and Certificates,
  and

  • for files, an extension that can be easily deployed.

[0042] While the invention has been particularly
shown and described with reference to a preferred em- 
bodiment, it will be understood that various changes in 
form and detail may be made therein without departing 
from the spirit, and scope of the invention. 


Claims 

1. A method, for use in a server (101) or client (100)
system, of determining that a file is virus-free characterised
in that it comprises the steps of:

• determining (400) whether a virus-free certificate
(200) is associated with a file;

if a virus-free certificate is associated with the file:

• authenticating (404) the virus-free certificate
(200), said virus-free certificate comprising a
certificate signature (206);

• authenticating (407) the file, said virus-free certificate
(200) comprising a file signature (207),
said file signature certifying that said file has
been declared virus-free by a virus-free certificate
authority (102).

2. The method according to the preceding claim
wherein said step of authenticating (407) the file
comprises the further steps of:

• decrypting the file signature (207) using a public
key (203) comprised in the virus-free certificate
(200).

• hashing the file to generate a file digest;

• comparing the decrypted file signature with the
generated file digest.

3. The method according to any one of the preceding
claims wherein the step of authenticating the virus-free
certificate comprises the further step of:

• validating the virus-free certificate.

4. The method according to any one of the preceding
claims wherein the step of validating the virus-free
certificate comprises the further step of:

• determining whether the virus-free certificate is
valid or not;

If the virus-free certificate is not valid:

• requesting a virus-free certificate update or an
updated virus-free certificate update to a virus-free
certificate authority (102).

5. The method according to any one of the preceding
claims wherein the virus-free certificate (200) further
comprises:

• a file identification (201);

• a virus-free certificate authority identification
(202);

• a public key (203) for decrypting the file signature;

• an indication of the virus-free certificate validity
(204).

6. A server (101) or client (100) system, comprising
means adapted for carrying out the steps of the
method according to any one of the preceding
claims.

7. A computer program comprising instructions for
carrying out the method according to any one of
claims 1 to 5.